WordPress Plugin Vulnerabilities

Caldera Forms Google Sheets Connector < 1.3 - Access Code Update via CSRF

Description

The plugin does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
gsheetconnector-caldera-forms
Fixed in 1.3

References

CVE
CVE-2023-2330

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
fa8ccdd0-7b23-4b12-9aa9-4b29d47256b8

Timeline

Publicly Published
2023-06-26 (about 2 years ago)
Added
2023-06-26 (about 2 years ago)
Last Updated
2023-08-16 (about 2 years ago)

Other

Published
Title
Published
2024-10-30
Title
Domain Sharding <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2018-05-28
Title
WooCommerce Checkout For Digital Goods <= 2.1 - CSRF to Settings Change
Published
2025-09-05
Title
Compact Admin <= 1.3.0 - Cross-Site Request Forgery
Published
2025-10-23
Title
IndieAuth < 4.5.5 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens
Published
2023-01-20
Title
Category Specific RSS feed Subscription < 2.2 - Settings Update via CSRF